diff --git a/deploy/README.md b/deploy/README.md
index a8ac4f2449f99..3cb94e4eae701 100644
--- a/deploy/README.md
+++ b/deploy/README.md
@@ -18,13 +18,14 @@ $ LOAD_BALANCER=route ./deploy/openshift/deploy.sh
 Most environment variables can be found in [common/env.sh](common/env.sh).
-| **Name** | **Values** | **Description** |
-|--------------------|-----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `COLLECTION_METHOD` | `ebpf` \| `kernel-module` | Set the collection method for collector. |
-| `HOTRELOAD` | `true` \| `false` | `HOTRELOAD` mounts Sensor and Central local binaries into locally running pods. Only works with docker-desktop. Alternatively you can use ./dev-tools/enabled-hotreload.sh. Note however that this will break the linter: https://stack-rox.atlassian.net/browse/ROX-6562 |
-| `LOAD_BALANCER` | `route` \| `lb` | Configure how to expose Central, important if deployed on remote clusters. Use `route` for OpenShift, `lb` for Kubernetes. |
-| `MAIN_IMAGE_TAG` | `string` | Configure the image tag of the `stackrox/main` image to be deployed. |
-| `MONITORING_SUPPORT` | `true` \| `false` | Enable StackRox monitoring. |
-| `REGISTRY_USERNAME` | `string` | Set docker registry username to pull the docker.io/stackrox/main image. |
-| `REGISTRY_PASSWORD` | `string` | Set docker registry password to pull the docker.io/stackrox/main image. |
-| `STORAGE` | `none` \| `pvc` | Defines which storage to use for the Central database, to preserve data between Central restarts it is recommended to use `pvc`. |
+| **Name** | **Values** | **Description** |
+|-------------------------|-----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `COLLECTION_METHOD` | `ebpf` \| `kernel-module` | Set the collection method for collector. |
+| `HOTRELOAD` | `true` \| `false` | `HOTRELOAD` mounts Sensor and Central local binaries into locally running pods. Only works with docker-desktop. Alternatively you can use ./dev-tools/enabled-hotreload.sh. Note however that this will break the linter: https://stack-rox.atlassian.net/browse/ROX-6562 |
+| `LOAD_BALANCER` | `route` \| `lb` | Configure how to expose Central, important if deployed on remote clusters. Use `route` for OpenShift, `lb` for Kubernetes. |
+| `MAIN_IMAGE_TAG` | `string` | Configure the image tag of the `stackrox/main` image to be deployed. |
+| `MONITORING_SUPPORT` | `true` \| `false` | Enable StackRox monitoring. |
+| `MONITORING_ENABLE_PSP` | `true` \| `false` | Generate PodSecurityPolicies for monitoring. Defaults to `false`, as PSPs were deprecated in k8s 1.25. |
+| `REGISTRY_USERNAME` | `string` | Set docker registry username to pull the docker.io/stackrox/main image. |
+| `REGISTRY_PASSWORD` | `string` | Set docker registry password to pull the docker.io/stackrox/main image. |
+| `STORAGE` | `none` \| `pvc` | Defines which storage to use for the Central database, to preserve data between Central restarts it is recommended to use `pvc`. |
diff --git a/deploy/charts/monitoring/templates/pod-security-policy.yaml b/deploy/charts/monitoring/templates/pod-security-config.yaml
similarity index 89%
rename from deploy/charts/monitoring/templates/pod-security-policy.yaml
rename to deploy/charts/monitoring/templates/pod-security-config.yaml
index ee21368e4a7b1..b80b4f473b2f9 100644
--- a/deploy/charts/monitoring/templates/pod-security-policy.yaml
+++ b/deploy/charts/monitoring/templates/pod-security-config.yaml
@@ -1,11 +1,12 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- name: stackrox-monitoring-psp
+ name: stackrox-monitoring
 labels:
 app.kubernetes.io/name: stackrox
 app: monitoring
 rules:
+{{- if .Values.enableMonitoringPSPs }}
 - apiGroups:
 - policy
 resources:
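Review bot: The new `{{- if .Values.enableMonitoringPSPs }}` guard decides purely on a flag whose default is now `false`, so on a cluster that still enforces PSP the monitoring pods lose the only pod-level restriction this chart applied (the `min: 4000` / `max: 4000` range in the file's last hunk), and nothing in this diff — no `pod-security.kubernetes.io/enforce` namespace label, no explicit pod `securityContext` — takes its place. A flag set to `true` on a 1.25+ cluster has the mirror problem: the template still renders `policy/v1beta1`, which the API server rejects. Consider letting the server decide as well, e.g. `{{- if and .Values.enableMonitoringPSPs (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}` (note `helm template` only sees API versions passed via `--api-versions`), and, if this chart owns the monitoring namespace, labelling it for Pod Security Admission as the replacement control. The ClusterRole's rule list continues past the end of the hunk.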
@@ -14,6 +15,7 @@ rules:
 - stackrox-monitoring
 verbs:
 - use
+{{- end }}
 - apiGroups: [""]
 resources:
 - endpoints
@@ -25,7 +27,7 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
- name: stackrox-monitoring-psp
+ name: stackrox-monitoring
 namespace: {{ .Release.Namespace }}
 labels:
 app.kubernetes.io/name: stackrox
@@ -33,12 +35,13 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: stackrox-monitoring-psp
+ name: stackrox-monitoring
 subjects:
 - kind: ServiceAccount
 name: monitoring
 namespace: {{ .Release.Namespace }}
 ---
+{{- if .Values.enableMonitoringPSPs }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
@@ -75,3 +78,4 @@ spec:
 ranges:
 - min: 4000
 max: 4000
+{{- end }}
diff --git a/deploy/charts/monitoring/values.yaml b/deploy/charts/monitoring/values.yaml
index d1b526951707b..f98bcd5c4c7ce 100644
--- a/deploy/charts/monitoring/values.yaml
+++ b/deploy/charts/monitoring/values.yaml
@@ -37,3 +37,5 @@ alertmanager:
 group_by: [alertname]
 configmapReload:
 enabled: true
+
+enableMonitoringPSPs: ${MONITORING_ENABLE_PSP}
diff --git a/deploy/common/env.sh b/deploy/common/env.sh
index 8e18b6ea9b5ae..6d50b8a1bc403 100644
--- a/deploy/common/env.sh
+++ b/deploy/common/env.sh
@@ -21,6 +21,9 @@ echo "ROX_HTPASSWD_AUTH set to $ROX_HTPASSWD_AUTH"
 echo "MONITORING_SUPPORT set to ${MONITORING_SUPPORT}"
+export MONITORING_ENABLE_PSP=${MONITORING_ENABLE_PSP:-false}
+echo "MONITORING_ENABLE_PSP set to ${MONITORING_ENABLE_PSP}"
+
 export CLUSTER=${CLUSTER:-remote}
 echo "CLUSTER set to $CLUSTER"
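Review bot: The new `export MONITORING_ENABLE_PSP=${MONITORING_ENABLE_PSP:-false}` line defaults the flag but never validates it, and the values.yaml hunk in this same diff splices it in verbatim as `enableMonitoringPSPs: ${MONITORING_ENABLE_PSP}`, so any value that is not a YAML boolean (`1`, `yes`, `enabled`, a string with a `: ` in it) reaches Helm's `if` with whatever truthiness the YAML parser assigns — or breaks the values file outright. Since this is the one place the variable is normalised, reject anything but the two documented values here, e.g. `case "${MONITORING_ENABLE_PSP}" in true|false) ;; *) echo "MONITORING_ENABLE_PSP must be 'true' or 'false'" >&2; exit 1 ;; esac` placed before the echo. If env.sh is sourced by the deploy scripts, as its other `export` lines suggest, `exit` aborts the whole deploy on a misconfiguration, which is presumably the intent — confirm against the callers.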